paypoint implementation guide 5.02.01 / 5.06.06 / 5.06.09 / 5.08.09 / 5.09.06 / 5.10.04

PCI PA-DSS Implementation guide

1. Introduction

This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Verifone Norway AS does not possess the authority to state that a merchant may be deemed PCI compliant if the information contained within this document is followed. Each merchant is responsible for creating a PCI-compliant environment. The purpose of this guide is to provide the information needed during installation and operation of the paypoint application in a manner that will support a merchant's PCI DSS compliance efforts.

1.1 Intended audience and document use

The PA-DSS Implementation Guide must be read and understood by everyone operating the terminal, including resellers, ECR integrators, support organizations and the merchant controlling the terminal. The guide should be used by assessors conducting onsite reviews and by merchants who must validate their compliance with the PCI DSS requirements. This guide and the training material are reviewed annually and updated if needed due to changes in paypoint or the PCI PA-DSS requirements. The latest version of this document is distributed with every new release; it can also be downloaded from: http://www.verifone.no/betalingsterminaler/

1.2 PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) defines a set of requirements for the configuration, operation, and security of payment card transactions in your business. If you use paypoint in your business to store, process, or transmit payment card information, this standard and this guide apply to you. Failure to comply with these standards and requirements can result in significant fines if a security breach should occur.

1.3 PCI PA-DSS

The Payment Card Industry has also set requirements for software applications that store, process or transmit cardholder data. These requirements are defined by the Payment Card Industry Payment Application Data Security Standard (PCI PA-DSS). To facilitate your PCI DSS assessment, the paypoint software application has been reviewed by a QSA (Qualified Security Assessor) for compliance with the PCI PA-DSS requirements.

2 Paypoint and PCI PA-DSS

Note: This section refers to payment terminals with the paypoint software versions listed on the PCI web site: List of Validated Payment Applications. If you cannot find the version running on your terminal on that list, please contact Point Support in order to upgrade your terminal.

2.1 PA-DSS Compliance

This section describes why and how paypoint can be implemented in a way that should facilitate and support PCI DSS compliance if installed in a PCI DSS compliant environment. All encryption operations are handled automatically by the terminal; they are not configurable and cannot be changed by any user. Encryption cannot be turned off for transmission or for storage.

2.2 Sensitive data and cardholder data

Sensitive data: full magstripe data, CVC2, CVV2, PIN and PIN block
Cardholder data: full PAN (card number), name, service code, and expiry date

2.2.1 Transmission

Paypoint encrypts sensitive data and cardholder data using triple DES with a unique key per transaction. On top of that, the entire message sent to and from paypoint must be protected using either paypoint VPN or a VPN service provided by your network provider.

NETS will only allow connections to their production systems from an approved VPN connection. This means that you must either use a NETS access VPN service from your network provider or activate paypoint VPN in the terminal. If you are using a wireless network (WLAN), you must set up your wireless network to use WPA/WPA2 encryption. The WLAN encryption is applied on top of the triple DES encryption and the paypoint VPN implemented in the paypoint terminal. Paypoint will not allow you to use WEP (WEP is not allowed for POS terminals after June 30, 2010).

2.2.2 Storage

According to PCI DSS, storage of sensitive authentication data after authorization is not allowed. Storage of cardholder data requires protection. Your paypoint terminal will not store any sensitive authentication data at any time. The payment application handles all deletion and re-encryption of cardholder data; the merchant does not need to take any action to delete cardholder data.

2.2.3 Receipts, display and ECR

Your paypoint terminal will not disclose any cardholder data on the display, on the receipt or to the ECR; only the last 4 digits of the PAN are available on the receipts. The paypoint terminal will not accept any cardholder data from any external device.

2.3 Special functionality and configuration that will require extra protection

If you have configured your terminal with the settings or use some of the functionality listed below, you are handling card data, which must be handled as defined in the PCI DSS requirements. These include secure storage with restricted access and deletion when no longer needed. Cardholder data should not be stored longer than required for your business needs. All cryptographic material and keys are automatically rendered irretrievable when no longer needed. This is absolutely necessary for PCI DSS compliance. Your paypoint terminal will not store any PANs without protection. The PAN is either encrypted, masked or truncated when stored and is deleted when no longer needed. For offline transactions and pre-authorizations temporarily stored in the terminal, the PAN, service code and expiry date are stored encrypted. After online processing these data are deleted. Encrypted cardholder data exceeding the retention period is automatically deleted by paypoint. Historical data exceeding the retention period is automatically re-encrypted with new keys by paypoint. Cardholder data are only stored inside the terminal and since the

2.3.1 Manual entry

If you need to enter card numbers manually or have to do voice referrals, you must never keep written copies or otherwise store copies of the CVC/CVV2. We also recommend not keeping written copies of the cardholder data (PAN and expiration date).

2.3.2 bank axept offline

For bank axept cards, the Norwegian debit card, BSK mandates that the PAN is printed on the merchant copy of offline backup solution receipts. It is important that these receipts are handled in a secure way and not stored longer than necessary. Bank axept cards are technically out of scope for PCI DSS, but BSK requires that such receipts are handled according to the PCI DSS requirements.

2.4 Paypoint can be installed in a PCI DSS compliant environment

Paypoint facilitates and supports installation in a PCI DSS compliant environment because:
- When upgraded to a PCI PA-DSS compliant version of paypoint, all previously stored historical sensitive data are automatically deleted securely and all cardholder data are either deleted or encrypted according to the PA-DSS requirements.
- A paypoint terminal can operate behind a firewall. Please contact Verifone or read the paypoint installation manual for the relevant information.
- The paypoint terminals cannot be accessed remotely.
- Paypoint cannot be used for e-mail or internet activities.
- The software of your paypoint terminal is automatically updated when necessary. All software downloaded to the terminal is controlled by Point, and paypoint has mechanisms to ensure that software can be downloaded from trusted sources only. These mechanisms are based on digital signatures. This is absolutely necessary for PCI DSS compliance.

3 Merchant environment and responsibilities

3.1 General requirements for PCI DSS compliance

In order for your organization to comply with PCI DSS requirements it is absolutely necessary to:
- For manually entered PANs and for voice referrals, never write down or otherwise store the PAN, expiration date or CVC/CVV2.
- Implement and maintain a security policy that addresses information security for employees and contractors, including the list below:
  o If you are using a wireless network (WLAN), you must make sure that:
    - Your wireless network uses WPA/WPA2 encryption for authentication and transmission.
    - The firmware on all wireless devices is updated to support strong encryption for authentication and transmission.
    - Encryption keys are changed (as described under WLAN setup): from vendor defaults at installation; any time someone with knowledge of the keys leaves the company or changes position; and at least annually.
    - Default SNMP community strings on wireless devices are changed.
    - Other security-related vendor defaults like logins, passwords and SSID are changed.
  o If you are using a wireless network within your business, you must make sure that firewalls are installed that deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the environment of the paypoint terminal.
  o Cardholder data must never be stored on servers connected to the internet or sent over open communication links like e-mail or fax.

3.2 PCI DSS recommendations

In order for your organisation to comply with PCI DSS requirements it is recommended to:
- Have any applicable terminal management system used as part of an authenticated remote software distribution framework for the PED evaluated by a QSA as part of any PCI DSS assessment.
- Make sure that historical data (magnetic stripe data, cardholder data and CVV2s) are removed from all storage devices used in your system: ECRs, PCs, servers etc. For further details please refer to your vendor.
- Implement and maintain a security policy that addresses information security for employees and contractors, including:
  o Install and maintain a firewall to block any unauthorized traffic.
  o Change any default passwords used to access your system and use secure passwords.
  o Keep your system up to date with anti-virus software, software updates, operating system updates, and any other security patches.
  o Assign individual user logins to all users.
  o Review your system logs periodically to see which users are accessing your systems.
  o Test your network connections (including wireless networks) periodically for vulnerabilities, and make use of network vulnerability scans. If you make any significant changes to your network, you should also test for vulnerabilities.
  o Even in troubleshooting cases, sensitive authentication data are not allowed to be collected by any support organization, including Point or the reseller.
  o Restrict access to any cardholder data handled or stored according to PCI DSS requirements, and delete such data when no longer needed.
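The guide states that the terminal exposes only the last 4 digits of the PAN on receipts (2.2.3), stores PANs only encrypted, masked or truncated (2.3), and recommends that merchants verify historical cardholder data has been removed from ECRs, PCs and servers (3.2). The following Python script is an added example, not part of the paypoint guide or Verifone's software: it scans exported text (a journal, a spreadsheet dump, a log) for digit runs that pass the Luhn check, and reports each hit in the same masked form the guide describes, so the report itself does not become a new store of cardholder data. The sample journal lines are constructed; the 4111 1111 1111 1111 value is the well-known Visa test number, not real cardholder data.

```python
"""Scan text for leftover card numbers (PANs) and report them masked.

Added example, not part of the paypoint guide or Verifone's code. The
sample journal below is constructed data for demonstration.
"""
import re

# Candidate runs of 13-19 digits, allowing a space or dash between digits
# (journals often print PANs as 4-digit groups). Lookarounds stop the
# pattern from matching the middle of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to its last four digits, e.g. '************1111'."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list:
    """Return masked PANs found in text; only Luhn-valid runs are reported,
    which filters out most order numbers, phone numbers and timestamps."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines) -> list:
    """Return (line_number, masked_pan) pairs for a sequence of text lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for masked in find_pans(line):
            hits.append((n, masked))
    return hits


# Constructed sample: an exported ECR journal. Line 1 is already masked as
# the guide describes, line 2 holds a full (test) PAN, lines 3-4 are noise.
SAMPLE = [
    "2015-03-27 12:01:05 sale 149.00 NOK card ************1111 approved",
    "customer ref 4111 1111 1111 1111 exp 12/18",   # Luhn-valid test number
    "order no 1234567890123 shipped",               # 13 digits, fails Luhn
    "phone +47 81502200",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE):
        print(f"line {n}: unprotected PAN found, masked value {masked}")
```

Run it over a file with `scan_lines(open(path, errors="replace"))`. A Luhn match is evidence, not proof, so hits should be confirmed by someone authorised to handle the data and then deleted at the source, as section 3.2 requires; the scanner deliberately never writes the full number anywhere.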

3.3 Log of payment application activity

PCI DSS compliant logging is always active and will always send the logs to Verifone's servers. In addition, the payment terminal can be configured to send syslog messages to a syslog server operated by the merchant. The messages can be put into a centralized system log where they can be monitored or reviewed by the merchant. The logging cannot be turned off, since this would result in non-compliance with PCI DSS. For more details about PCI DSS and PCI PA-DSS, please see the following link: http://www.pcisecuritystandards.org/

3.3.1 Syslog

Merchants who have a central log server and want logs from their paypoint terminals sent to their server can configure their terminals to send syslog messages by following the procedures in this chapter. How to configure the terminal to also send syslog messages to the merchant's server:
- Activate Send system log: Menu + Administration + Change settings + Communication + System log + Yes
- Configure the IP address of the syslog server: Menu + Administration + Change settings + Communication + TCP/IP innst + 13 TCP / IP log
- Configure the port of the syslog server: Menu + Administration + Change settings + Communication + TCP/IP innst + TCP / IP port log

Syslog logs all changes and connections from the terminal and sends them to the server at the first opportunity. For more details about syslog and a description of the message format, see Syslog from paypoint - User Documentation. This document can be obtained by contacting Verifone.
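Section 3.2 asks merchants to review their system logs periodically, and 3.3.1 describes sending the terminal's change and connection messages to a merchant-operated syslog server. The following Python script is an added example, not from the paypoint guide or Verifone, of the first step of such a review on the central server: it parses standard RFC 3164 syslog framing (`<PRI>TIMESTAMP HOSTNAME TAG: MSG`) and summarises, per terminal, how many messages arrived at each severity and which ones (notice or worse) deserve a look. The paypoint message format is documented separately by Verifone and is not on this page, so the hostnames, the `paypoint` tag and the message texts in the sample are constructed assumptions; only the RFC 3164 framing is standard.

```python
"""Parse RFC 3164 syslog lines and summarise them per sending terminal.

Added example, not part of the paypoint guide or Verifone's software.
Hostnames, tags and message texts below are constructed; the guide's
real message format is in Verifone's separate syslog documentation.
"""
import re
from collections import Counter, defaultdict

# RFC 3164 severity codes 0..7
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                    # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "          # e.g. "Mar 27 09:15:01"
    r"(?P<host>\S+) "                                         # sending host
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"  # TAG[pid]: message
)


def parse_line(line: str):
    """Return a dict (facility, severity, timestamp, host, tag, msg) or None
    if the line is not a well-formed RFC 3164 message."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                   # PRI = facility*8 + severity; max is 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }


def summarize(lines) -> dict:
    """Group messages per terminal: a Counter of severities and a 'review'
    list of every message at severity notice or worse (configuration
    changes, failed connections). Lines that do not parse are counted
    under 'unparsed' so a malformed or truncated feed is noticed."""
    terminals = defaultdict(lambda: {"by_severity": Counter(), "review": []})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        t = terminals[rec["host"]]
        t["by_severity"][rec["severity"]] += 1
        if SEVERITY.index(rec["severity"]) <= SEVERITY.index("notice"):
            t["review"].append(f'{rec["timestamp"]} {rec["tag"]}: {rec["msg"]}')
    return {"unparsed": unparsed, "terminals": dict(terminals)}


# Constructed sample feed: facility local0 (16), so PRI 134 = info,
# 133 = notice, 131 = err. Message texts are invented for illustration.
SAMPLE_LOG = [
    "<134>Mar 27 09:15:01 term-0001 paypoint: connection to host established",
    "<133>Mar 27 09:16:40 term-0001 paypoint: setting changed: system log enabled",
    "<131>Mar 27 09:20:12 term-0002 paypoint: connection to host failed",
    "this line is not syslog at all",
    "<134>Mar 27 09:21:00 term-0002 paypoint: transaction completed",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"unparsed lines: {report['unparsed']}")
    for host, t in report["terminals"].items():
        print(f"{host}: {dict(t['by_severity'])}")
        for entry in t["review"]:
            print(f"  REVIEW {entry}")
```

The severity threshold is the only tuning knob; because the guide says the terminal logs every change and connection, a terminal that suddenly reports no messages at all, or many more `err` entries than its peers, is itself worth investigating even when no single line looks wrong.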

Configuring communication

If the paypoint terminal is behind a firewall, these TCP/IP addresses and ports need to be reachable through the firewall. VeriFone Vx810/Vx820/Vx670/Vx680/Vx690 use port 10760 as the TCP/IP prog port.

Sales Connector
Terminals that use setup 1: Vx670 / Vx680 / Vx690 / Xenta / Xentissimo
Terminals that use setup 2: Yomani / Yomani XR / Xenteo ECO / Xenoa ECO

WLAN
WLAN encryption keys and other WLAN settings can be changed in the WLAN menu: Menu + 5 Administration + 5 Change settings + 2 Installation + 6 WLAN config
WLAN config - Select Base 1-9
  (1) SSID
  (2) WLAN-key
  (3) Encryption
  (4) Priority
  (5) Delete base

NETS
                     paypoint VPN: NEI (no)    paypoint VPN: JA (yes)
TCP/IP prim          193.214.020.211           195.088.107.035
TCP/IP prim port     9100                      9300
TCP/IP back          193.214.020.211           195.088.107.036
TCP/IP back port     9100                      9300

Sales Connector
                     Setup 1                   Setup 2
TCP/IP prim          91.207.36.107             88.80.164.126
TCP/IP prim port     443                       443
TCP/IP back          88.80.164.107             91.207.36.128
TCP/IP back port     443                       443

Other
TCP/IP prog          062.092.014.217
TCP/IP prog port     5214 / 10760
TCP/IP adm           195.088.107.033
TCP/IP adm port      2610
TCP/IP ecr           xxx.xxx.xxx.xxx
TCP/IP ecr port      9550

Support

Support can be directed to your reseller, or directly to Verifone support on tel. 81502200 or support@verifone.no. Check also the Support page on our homepage: www.verifone.no

Verifone Norway AS
Postal address: Postboks 73, 0508 Oslo
Street address: Østre Aker vei 24, N-0581 OSLO

The latest version of this document can be found at: http://www.verifone.no/betalingsterminaler/

Version 3.9 27.03.15